Network Codes Resilient to Jamming and Eavesdropping


Hongyi Yao (Tsinghua University), Danilo Silva (State University of Campinas), Sidharth Jaggi (Chinese University of Hong Kong), Michael Langberg (The Open University of Israel)

arXiv: v3 [cs.NI] 25 Apr 2010

Abstract: We consider the problem of communicating information over a network secretly and reliably in the presence of a hidden adversary who can eavesdrop and inject malicious errors. We provide polynomial-time, rate-optimal distributed network codes for this scenario, improving on the rates achievable in [1]. Our main contribution shows that as long as the sum of the adversary's jamming rate $Z_O$ and his eavesdropping rate $Z_I$ is less than the network capacity $C$ (i.e., $Z_O + Z_I < C$), our codes can communicate (with vanishingly small error probability) a single bit correctly and without leaking any information to the adversary. We then use this to design codes that allow communication at the optimal source rate of $C - Z_O - Z_I$, while keeping the communicated message secret from the adversary. Interior nodes are oblivious to the presence of adversaries and perform random linear network coding; only the source and destination need to be tweaked. In proving our results we correct an error in prior work [2] by a subset of the authors in this work.

I. INTRODUCTION

A source Alice wishes to transmit information to a receiver Bob over a network containing a malicious adversary Calvin. Such scenarios face at least two challenges: Calvin might eavesdrop on private communications, or he might disrupt communications by injecting fake information into the network. In the network coding model this second danger may be even more pronounced since all nodes, including honest ones, mix information. In this case, even a small number of fake packets injected by Calvin may end up corrupting all the information flowing in the network, causing decoding errors. In this work we consider the secrecy and error control issues together.
Namely, we design schemes that allow reliable network communications in the presence of an adversary that can both jam and eavesdrop, without leaking information to him. In particular, suppose the network's min-cut from Alice to Bob is $C$, and Calvin eavesdrops on $Z_I$ links and corrupts $Z_O$ links¹. We demonstrate schemes that are distributed, computationally efficient to design and implement, and can be used to communicate a single bit secretly and without error. We then use this scheme as a tool to improve on prior work [3], and achieve a provably optimal rate of $C - Z_O - Z_I$.

The work of Hongyi Yao was supported in part by National Natural Science Foundation of China Grant , the National Basic Research Program of China Grant 2007CB and 2007CB. The work of Danilo Silva was supported by FAPESP grant 2009/. The work of Sidharth Jaggi was supported by RGC GRF grant , , and , RGC AoE grant on Institute of Network Coding, established under the University Grant Committee of Hong Kong, CUHK MoE-Microsoft Key Laboratory of Human-centric Computing and Interface Technologies, Direct Grant (Project Number ) of The Chinese University of Hong Kong, and two gift grants from Microsoft and Cisco. The work of Michael Langberg was supported in part by ISF grant 480/08.

¹ We consider a model where network links rather than nodes are eavesdropped and corrupted; eavesdropping on a node is equivalent to eavesdropping on links incoming to it, and corrupting a node is equivalent to corrupting the links outgoing from it.

Related problems have been considered in the past. Prior results may be classified in the following three categories.

For networks containing adversaries that only eavesdrop on some links (without jamming transmissions), the work of [4] provided a tight information-theoretic characterization of the secrecy capacity, i.e., the optimal rate achievable without leaking any of Alice's information to Calvin. Efficient schemes achieving this performance were proposed by [5]-[7].
Cryptographically (but not information-theoretically) secret schemes for this scenario were also considered in [8].

For networks containing adversaries with unlimited eavesdropping capabilities and limited jamming capabilities, prior related work has focused primarily on the detection of Byzantine errors [9], non-constructive bounds on the achievable zero-error rates [10], [11], and network error-correcting codes [12] (which have high design complexity) and [2], [3], [13], [14] (which have low design complexity). Results for this setting are also available under cryptographic assumptions [15], [16].

The scenario closest to the one considered in this work, with limitations on both Calvin's eavesdropping power $Z_I$ and his jamming power $Z_O$, has been considered in [1]-[3], [17], [18]. Under the requirement of zero error probability, the maximum rate of secret and reliable communication is given by $C - 2Z_O - Z_I$. Schemes achieving this rate have been proposed in [1], [18] (high design complexity schemes) and [17], [19], [20] (low design complexity schemes). The optimality of such a rate has been shown in [1] for single-letter coding and in [20] for block coding.

If the requirement of zero error probability is relaxed to vanishingly small error probability, as considered here, then higher rates may be achieved. In particular, the work in [3] provided computationally efficient communication schemes (but with no guarantees on secrecy) at rate $C - Z_O$ as long as the technical requirement $C > 2Z_O + Z_I$ was satisfied. Work by a subset of the authors of this paper claimed in [2] to improve this technical requirement to $C > Z_O + Z_I$. As we demonstrate in Section VIII, the prior proof of the claim was incorrect, and Section II gives a correct proof of the claim. Combining these results with the secrecy scheme of [7] allows us to obtain the optimal rate of $C - Z_O - Z_I$ when secrecy constraints are incorporated.

II. MAIN RESULTS

The main results of this work are Theorems 1 and 2.

Theorem 1: If $C > Z_O + Z_I$ then Alice can communicate a single bit correctly to Bob (while keeping it secret from Calvin) using codes of computational complexity $O(\mathrm{poly}(C, \log_2 q))$ and error probability $O(q^{-C})$.

Combining the codes in Theorem 1 with the shared-secret codes in [3] then gives us the following theorem.

Theorem 2: No rate higher than $C - Z_O - Z_I$ is achievable. A rate of $C - Z_O - Z_I$ is achievable with codes of computational complexity $O(n\,\mathrm{poly}(C, \log_2 q))$.

Note: In [1], Ngai et al. show that $C - 2Z_O - Z_I$ is an upper bound on the rate, assuming no error events, and single-letter coding (respectively equations (87) and (65) in their proof). Our work achieves higher rates by instead assuming asymptotically negligible probability of error, and block coding.

A. High-level overview of proofs and techniques

We first show in Section IV that $C - Z_O - Z_I$ is an upper bound on the rate at which a secret message can be correctly transmitted from Alice to Bob, by demonstrating an attack that Calvin can use to successfully disrupt communication if Alice tries to communicate at any higher rate.

We then construct efficient codes that essentially achieve rate $C - Z_O - Z_I$. Our codes consist of the three layers described below. All the three layers are embedded along with Alice's message into her packets and then transmitted through the network using random linear network codes.

Secret-sharing layer: In Section VI we first prove Theorem 1 by showing how to communicate a single bit secretly and correctly over a network containing adversaries that can jam and eavesdrop, as long as $C > Z_I + Z_O$. This layer is important for the error-control layer described later, and can be implemented via a small header appended to each network coded packet. When $k$ secret bits are to be shared, the scheme is repeated $k$ times in each transmitted packet header, for a secret-sharing header of total length $C + kC(C - Z_I)$.
The secret-sharing layer consists of the following components:

1. Identity matrix: As is standard in random linear network coding [21], [13], the identity matrix $I_C$ is appended to convey to the receiver information about the linear transform induced by the random linear network code.

2. Bit matrices: For each secret bit $i \in \{1,\dots,k\}$, if the $i$th secret bit equals 0, the $(C - Z_I) \times C(C - Z_I)$ matrix $S_i$ (over $\mathbb{F}_q$) is chosen as a zero matrix; otherwise, $S_i$ is chosen independently and uniformly at random from all $(C - Z_I) \times C(C - Z_I)$ matrices. We refer to $S_i$ as a bit matrix. The idea is that the rank of the matrices corresponding to bit 0 is much smaller than the rank of the matrices corresponding to bit 1; due to the limitation on the numbers of packets Calvin can observe or inject, with high probability he cannot change the rank of the corresponding received matrix by too much. Details are given in Lemma 3.

3. Random matrix: Alice adapts the scheme of [7] to keep the bit matrices secret from Calvin. That is, for each secret bit $i$ that Alice wishes to communicate to Bob, she combines the bit matrix $S_i$ with a random noise matrix $N_i$ (at rate $Z_I$). It can be shown that it is impossible for Calvin to glean any useful information (since he can only eavesdrop at rate $Z_I$).

Section VII combines the secrecy layer with the two other layers described below to complete our code construction.

Secrecy layer: As done with the random matrices $N_i$ in the secret-sharing layer above, a random matrix $N$ is used to preserve the secrecy of the source message $S$ (of rate $C - Z_O - Z_I$), yielding an encoded matrix $M$ (of rate $C - Z_O$).

Error control layer: In this layer Alice uses the shared-secret scheme outlined in Theorem 1 of [3]. That is, Alice first applies a secret linear hash to her secrecy-encoded message $M$ to generate a small hash value. Both the linear hash and the resulting hash value (say $k$ bits in all) are transmitted to Bob using the secret-sharing layer.
Alice then combines her data with a zero-value matrix (of rate $Z_O$), such that Bob can use the secret hash to distill Alice's codeword $M$ from the corrupted information reaching the destination.

Vis-a-vis our secret-sharing scheme of Section VI, the work of [2] (by a subset of the authors of this work) claimed to have the same result. However, we show in Section VIII that the scheme proposed in [2] is incorrect by giving an attack that Calvin can use to ensure that Bob has a significant probability of decoding error.

III. NETWORK MODEL AND PROBLEM STATEMENT

We use the general model proposed in [3]. To simplify notation we consider only the problem of communicating from a single source to a single destination².

A. Network Model

Alice communicates to Bob over a network with an attacker (adversary) Calvin hidden somewhere in it. Calvin aims to disrupt the transfer of information from Alice to Bob and in the meantime eavesdrop on the information Alice sends. He can observe some of the transmissions, and can inject his own fake transmissions. Calvin is computationally unbounded, knows the encoding and decoding schemes of Alice and Bob, and the network code implemented by the interior nodes. He also knows the network topology, and he gets to choose which network links to eavesdrop on and which ones to corrupt.

The network is modeled as a directed and delay-free graph whose edges each have capacity equal to one symbol of a finite field of size $q$, $\mathbb{F}_q$, per unit time³. All computations are over $\mathbb{F}_q$. The network capacity, denoted by $C$, is the min-cut from source to destination⁴.

² Similarly to many network coding algorithms, our techniques generalize to multicast problems.

³ For ease of presentation edges with non-unit capacities are not considered here (as in [3], they may be modeled via block coding and parallel edges).

⁴ For the corresponding multicast case, $C$ is defined as the minimum of the min-cuts over all destinations. It is well-known that $C$ also equals the time-average of the maximum number of packets that can be delivered from Alice to Bob, assuming no adversarial interference, i.e., the max flow.

Each packet contains $n$ symbols from $\mathbb{F}_q$. Alice's message is denoted $S \in \mathcal{S}$. To send this to Bob over the network, Alice encodes it into a matrix $X \in \mathbb{F}_q^{C \times n}$, possibly using a stochastic encoder⁵. The $i$th row of $X$ is Alice's $i$th packet. As in [21], Alice and the internal nodes in the network take random linear combinations of their observed packets to generate their transmitted packets.

Analogously to how Alice generates $X$, Bob organizes received packets into a matrix $Y$. The $i$th received packet corresponds to the $i$th row of $Y$. The random linear network code used by Alice and all internal nodes induces a linear transform $A$ from $X$ to $Y$, such that $Y = AX$ when no error is induced by the adversary⁶. Thus $Y$ is a matrix in $\mathbb{F}_q^{C \times n}$, and $A \in \mathbb{F}_q^{C \times C}$. Hereafter we assume that the matrix $A$ is invertible, which happens with high probability if $q$ is sufficiently large [21].

Calvin can eavesdrop on $Z_I$ edges, and can inject (possibly fake) information at $Z_O$ locations⁷ in the network. The matrix received by Bob is then $Y = AX + Z$, where $Z$ corresponds to the information injected by Calvin as seen by Bob. Note that the limitation of Calvin's jamming capacity implies that $\mathrm{rank}(Z) \le Z_O$. Similarly, Calvin's observation can be described as a matrix $W = BX$, where $B \in \mathbb{F}_q^{Z_I \times C}$ is the linear transform undertaken by $X$ as seen by Calvin.

B. Problem Statement

Alice wishes to communicate with Bob with perfect secrecy and vanishingly small error probability. That is, Alice's scheme is perfectly secret if

$$I(S;W) = 0 \quad \forall B \in \mathbb{F}_q^{Z_I \times C} \qquad (1)$$

i.e., Calvin obtains no information about Alice's message. The error probability is the probability that Bob's reconstruction $\hat{S}$ of Alice's information $S$ is inaccurate, i.e., $P[\hat{S} \ne S]$. We consider the error probability of the worst-case scenario⁸. Namely, a scheme has error probability less than $\epsilon$ if $P[\hat{S} \ne S] < \epsilon$ for all $A, Z$, where $A$ is assumed to be nonsingular, and $\mathrm{rank}(Z) \le Z_O$.
The rate $R$ of a scheme is the number of bits of information Alice transmits to Bob, amortized by the size of a packet in bits, i.e., $R = \frac{1}{n}\log_q |\mathcal{S}|$. The rate $R$ is said to be achievable if for any $\epsilon > 0$, any $\delta > 0$, and sufficiently large $n$, there exists a perfectly secret block-length-$n$ network code with rate at least $R - \delta$ and a probability of error less than $\epsilon$.

⁵ The random coin tosses made by Alice as part of her encoding scheme are not known to either Calvin or Bob.

⁶ For ease of notation we assume Bob removes redundant incoming edges so that the number of edges reaching Bob equals the min-cut capacity $C$ from Alice to Bob.

⁷ We assume throughout that the information injected into the network by Calvin is added to the original information transmitted (here we consider addition over our field $\mathbb{F}_q$).

⁸ Our interest is to design communication schemes that do not rely on the specific network topology or network code used.

TABLE I: SUMMARY OF COMMONLY USED NOTATION

Notation    Meaning
$C$         Capacity
$Z_I$       Eavesdropping rate
$Z_O$       Jamming rate
$n$         Packet length
$q$         Field size
$q^C$       Extension field size

IV. CONVERSE FOR THEOREM 2

We start by presenting an attack that Calvin may use to force the achievable rate to at most $C - Z_O - Z_I$, thereby demonstrating that this is indeed an upper bound on the achievable rate.

Let $\{e_1, e_2, \dots, e_C\}$ be a set of edges that form a cut from Alice to Bob. Calvin jams the edges in $\{e_1, e_2, \dots, e_{Z_O}\}$ by adding random errors on them. Further, Calvin eavesdrops on edges in $\{e_{Z_O+1}, e_{Z_O+2}, \dots, e_{Z_O+Z_I}\}$.

Let $X$ be the random variable denoting Alice's information. Let $Y_j$, $Y_e$, and $Y_u$ be the random variables denoting the packets carried by the jammed edges $\{e_1, e_2, \dots, e_{Z_O}\}$, eavesdropped edges $\{e_{Z_O+1}, e_{Z_O+2}, \dots, e_{Z_O+Z_I}\}$, and untouched edges $\{e_{Z_O+Z_I+1}, e_{Z_O+Z_I+2}, \dots, e_C\}$ respectively. Let $Y$ be the random variable denoting the packets received by Bob.
Then

$$
\begin{aligned}
nR = H(X) &= H(X \mid Y) + I(X;Y) && (2)\\
&\le 1 + \epsilon nR + I(X;Y) && (3)\\
&\le 1 + \epsilon nR + I(X; Y_j, Y_e, Y_u) && (4)\\
&= 1 + \epsilon nR + I(X; Y_e, Y_u) && (5)\\
&= 1 + \epsilon nR + I(X; Y_e) + I(X; Y_u \mid Y_e) && (6)\\
&= 1 + \epsilon nR + I(X; Y_u \mid Y_e) && (7)\\
&\le 1 + \epsilon nR + H(Y_u) && (8)\\
&\le n\left[(C - Z_I - Z_O) + \epsilon R + \frac{1}{n}\right]. && (9)
\end{aligned}
$$

Here (2) follows from the fact that Alice's message is uniformly distributed over $\mathcal{X}$, (3) from Fano's inequality, (4) from the data processing inequality, (5) since Calvin adds random noise on the edges he jams and so $Y_j$ is independent of $(X, Y_e, Y_u)$, (6) by the chain rule for mutual information, (7) from the fact that information-theoretic secrecy is required and so $I(X; Y_e) = 0$, (8) by the fact that conditioning reduces entropy and the definition of mutual information, and finally (9) by the fact that there are at most $C - Z_I - Z_O$ links corresponding to the random variable $Y_u$ and the alphabet-size upper bound on entropy. Requiring $\epsilon \to 0$ as $n \to \infty$ gives the required result.

V. AUXILIARY TOOLS

A. Secrecy Coding

Consider a special case of the problem where Calvin can eavesdrop on $Z_I < C$ packets but cannot jam any packets ($Z_O = 0$). Below, we review a construction of a perfectly secret scheme that asymptotically achieves the maximum possible rate (i.e., the secrecy capacity) $R = C - Z_I$. The scheme, proposed in [7], is based on MRD codes. (For more details on MRD codes, see [7].)

Let $\mathbb{F}_{q^C}$, of size $q^C$, be an extension field of $\mathbb{F}_q$. Let $\varphi : \mathbb{F}_{q^C} \to \mathbb{F}_q^{1 \times C}$ be a vector space isomorphism. In addition, let $\varphi_{m,n} : \mathbb{F}_{q^C}^{m \times n} \to \mathbb{F}_q^{m \times Cn}$ be a vector space isomorphism such that the $i$th row of $\varphi_{m,n}(X)$ is given by $[\,\varphi(X_{i,1}) \;\cdots\; \varphi(X_{i,n})\,]$. In other words, we expand each element of $X \in \mathbb{F}_{q^C}^{m \times n}$ as a length-$C$ row vector over $\mathbb{F}_q$ (with the number of columns in the matrix increasing accordingly). We will omit the subscript from $\varphi_{m,n}$ when the dimensions of the argument are clear from the context.

Let $H \in \mathbb{F}_{q^C}^{(C - Z_I) \times C}$ be the parity-check matrix of a $[C, Z_I]$ linear MRD code over $\mathbb{F}_{q^C}$. Let $T \in \mathbb{F}_{q^C}^{C \times C}$ be an invertible matrix chosen such that the first $C - Z_I$ rows of $T^{-1}$ are equal to $H$.

Assume that $n$ is divisible by $C$ and let $n' = n/C - 1$. In order to encode a given message $S \in \mathbb{F}_{q^C}^{(C - Z_I) \times n'}$, Alice first generates a random matrix $N \in \mathbb{F}_{q^C}^{Z_I \times n'}$ uniformly and independently from any other variables. Then, she computes

$$X = [\, I_C \;\; \varphi(x) \,], \quad \text{where } x = T \begin{bmatrix} S \\ N \end{bmatrix}.$$

After receiving $Y = AX = [\, A \;\; A\varphi(x) \,]$, Bob computes $X = A^{-1}Y$ to recover $x = \varphi^{-1}(\varphi(x))$. Then, Bob can easily obtain $S$ since, by construction, $S = Hx$.

Recall that Calvin's observation is given by $W = BX$, where $B \in \mathbb{F}_q^{Z_I \times C}$. According to Theorem 4 of [7], we have that $I(S;W) = 0$ for all $B$, and therefore (1) is satisfied. Thus, the scheme is indeed perfectly secret.

The decoding complexity is given by $O(nC^2)$ operations in $\mathbb{F}_{q^C}$, which can be done in $O(nC^4)$ operations in $\mathbb{F}_q$.

B. Error Control under a Shared Secret Model

Consider now the case where Calvin can jam $Z_O < C$ packets and eavesdrop on any number of packets he chooses. However, we drop the requirement of secret communication, i.e., all we require is that Bob can decode correctly. In addition, suppose there exists a low-rate side channel, which Calvin cannot access, that enables Alice to transmit to Bob a small secret $S$. Below, we review a coding scheme presented in [3] that can asymptotically achieve the maximum possible rate $R = C - Z_O$. Let $b = C - Z_O$.
We first describe how Alice produces the secret bit string $S$ based on a given message $M \in \mathbb{F}_q^{b \times (n-b)}$. To begin with, she generates $\alpha = bC + 1$ symbols $\rho_1, \rho_2, \dots, \rho_\alpha \in \mathbb{F}_q$ independently and uniformly at random. Let $P \in \mathbb{F}_q^{n \times \alpha}$ be the matrix given by $P_{(i,j)} = (\rho_j)^i$. Then, she computes a matrix $H = \tilde{X}P \in \mathbb{F}_q^{b \times \alpha}$, where $\tilde{X} = [\, I_b \;\; M \,]$. The tuple $(\rho_1, \rho_2, \dots, \rho_\alpha, H)$, consisting in total of $\alpha(b+1)$ symbols in $\mathbb{F}_q$, comprises the message hash that should be secretly transmitted to Bob. The bit representation of this tuple yields the string $S \in \{0,1\}^k$, consisting of $k = \alpha(b+1)\log_2 q$ bits.

Over the main channel, Alice transmits the $C \times n$ matrix

$$X = \begin{bmatrix} \tilde{X} \\ 0 \end{bmatrix} = \begin{bmatrix} I_b & M \\ 0 & 0 \end{bmatrix}.$$

Assuming that $(\rho_1, \rho_2, \dots, \rho_\alpha, H)$ is secretly and correctly received by Bob, let us proceed to the description of Bob's decoder. First, Bob reconstructs the matrix $P$. Bob obtains $Y = AX + Z$, where $Z \in \mathbb{F}_q^{C \times n}$ has rank at most $Z_O$. This can also be written as $Y = \tilde{A}\tilde{X} + Z$, where $\tilde{A}$ consists of the first $b$ columns of $A$. Let $\bar{Y}$ be the reduced row echelon form of $Y$. It is shown in [3] that, with probability at least $1 - O(1/q)$ for any fixed network, $\tilde{X}$ can be written as $\tilde{X} = U\bar{Y}$ for some $U \in \mathbb{F}_q^{b \times C}$. It is also shown in [3] that, with probability at least $1 - n^\alpha/q$, the system $U\bar{Y}P = H$ has a unique solution in $U$. Bob solves this system to find $U$, computes $\tilde{X} = U\bar{Y}$ and finally recovers $M$.

Overall, the probability of error of the scheme is at most $n^\alpha/q + O(1/q) = O(n^{C^2}/q)$, while the decoding complexity is $O(nC^3)$ operations in $\mathbb{F}_q$.

VI. SENDING A SINGLE BIT SECRETLY AND RELIABLY

Let $C' = C - Z_I$. In this section, we show how Alice can transmit a secret bit reliably to Bob when $C > Z_I + Z_O$. We assume that $n = C(1 + C')$, as this is the smallest packet length required for the scheme to work. Larger packet lengths can be easily handled by zero-padding the transmitted packets. Let $T \in \mathbb{F}_{q^C}^{C \times C}$ and $H \in \mathbb{F}_{q^C}^{C' \times C}$ be as given in Section V-A.

A. Alice's encoder

Initially, Alice chooses a matrix $S \in \mathbb{F}_{q^C}^{C' \times C'}$ according to her secret bit: if the bit is 1, she picks $S$ uniformly at random; otherwise, if the bit is 0, she sets $S = 0$. Then, she sends $S$ to Bob using the secrecy scheme described in Section V-A. More precisely, she transmits

$$X = [\, I_C \;\; \varphi(x) \,], \quad \text{where } x = T \begin{bmatrix} S \\ N \end{bmatrix}$$

and $N \in \mathbb{F}_{q^C}^{Z_I \times C'}$ is a uniformly random matrix chosen independently from $S$.

B. Bob's decoder

Recall that Bob receives a matrix $Y = AX + Z$, where $A \in \mathbb{F}_q^{C \times C}$ is nonsingular and $Z \in \mathbb{F}_q^{C \times C(1 + C')}$ has rank at most $Z_O$. Let $\bar{Y}$ denote the reduced row echelon form of $Y$.

Consider first the case where $\bar{Y} = [\, I \;\; \varphi(r) \,]$, for some $r \in \mathbb{F}_{q^C}^{C \times C'}$. It is possible to show that $Hr = S + E$, where $E \in \mathbb{F}_{q^C}^{C' \times C'}$ is a matrix of rank at most $Z_O$. As will be shown later, with high probability, $Hr$ is full-rank if and only if Alice's secret bit is 1. Thus, Bob can decode by computing the rank of $Hr$.

In general, however, $\bar{Y}$ may not have the form described above. Nevertheless, as shown in [13], [17], it is possible to extract from $\bar{Y}$ some matrices $r \in \mathbb{F}_{q^C}^{C \times C'}$, $\hat{L} \in \mathbb{F}_q^{C \times \mu}$ and $\hat{V} \in \mathbb{F}_{q^C}^{\delta \times C'}$ such that

$$r = x + \hat{L}V_1 + L_2\hat{V} + L_3V_3$$

for some $V_1 \in \mathbb{F}_{q^C}^{\mu \times C'}$, $L_2 \in \mathbb{F}_q^{C \times \delta}$, $L_3 \in \mathbb{F}_q^{C \times \epsilon}$ and $V_3 \in \mathbb{F}_{q^C}^{\epsilon \times C'}$. Moreover, it is shown in [17] that $\mu, \delta \le Z_O$ and $\epsilon \le Z_O - \max\{\mu, \delta\}$. Note that $\epsilon < C' - \max\{\mu, \delta\}$, since $Z_O < C'$.

In possession of $r$, $\hat{L}$ and $\hat{V}$, Bob is now ready to decode the secrecy layer that has been applied to $x$. We have

$$Hr = Hx + H\hat{L}V_1 + HL_2\hat{V} + HL_3V_3 = S + \hat{\Lambda}V_1 + \Lambda_2\hat{V} + \Lambda_3V_3 \qquad (10)$$

where $\hat{\Lambda} = H\hat{L}$, $\Lambda_2 = HL_2$ and $\Lambda_3 = HL_3$. Note that $\hat{\Lambda} \in \mathbb{F}_{q^C}^{C' \times \mu}$ and $\hat{V} \in \mathbb{F}_{q^C}^{\delta \times C'}$ are known.

Now, let $J \in \mathbb{F}_{q^C}^{(C' - \mu) \times C'}$ and $K \in \mathbb{F}_{q^C}^{C' \times (C' - \delta)}$ be full-rank matrices such that $J\hat{\Lambda} = 0$ and $\hat{V}K = 0$. Then Bob can further simplify (10) by computing

$$JHrK = JSK + J\Lambda_3V_3K.$$

Note that $\mathrm{rank}(J\Lambda_3V_3K) \le \epsilon < C' - \max\{\mu, \delta\}$. Thus, Bob performs the following test. If $JHrK$ is full-rank, then Bob concludes that bit 1 was sent; otherwise, Bob concludes that bit 0 was sent.

With respect to complexity, computing $\bar{Y}$ takes $O(C^2 n) = O(C^4)$ operations in $\mathbb{F}_q$. Computing $J$, $K$, $JHrK$ and the rank of $JHrK$ each take $O(C^3)$ operations in $\mathbb{F}_{q^C}$, which amounts to $O(C^5)$ in $\mathbb{F}_q$. Thus, the overall decoding complexity is $O(C^5)$ operations in $\mathbb{F}_q$.

C. Probability of error analysis

When bit 0 is sent, Bob never makes an error; he makes an error if and only if bit 1 is sent and $JHrK$ is not full-rank.

Recall that, when bit 1 is sent, $S$ is uniformly distributed over $\mathbb{F}_{q^C}^{C' \times C'}$. Due to the secrecy encoding, Calvin has no information about $S$, and therefore $S$ is statistically independent from $\Lambda_3V_3$. It follows that $S' = S + \Lambda_3V_3$ is also uniformly distributed over $\mathbb{F}_{q^C}^{C' \times C'}$. Thus, the probability of error when bit 1 is sent is equal to the probability that $JS'K \in \mathbb{F}_{q^C}^{(C' - \mu) \times (C' - \delta)}$ is not full-rank for a uniform $S'$.

Lemma 3: If $S' \in \mathbb{F}_{q^C}^{C' \times C'}$ is uniformly distributed then, for any $J \in \mathbb{F}_{q^C}^{(C' - \mu) \times C'}$ and any $K \in \mathbb{F}_{q^C}^{C' \times (C' - \delta)}$, the matrix $JS'K$ is full-rank with probability at least $1 - C'/q^C$.

Proof: Without loss of generality, assume $\mu \ge \delta$. It suffices to prove the statement for $\mu = \delta$; if $\mu > \delta$, then removing $\mu - \delta$ columns from $K$ cannot possibly increase the rank of $JS'K$. For any fixed $J$ and $K$, consider the entries of $S'$ as variables taking values in $\mathbb{F}_{q^C}$. Then each entry of $JS'K$ is a multivariate polynomial over $\mathbb{F}_{q^C}$ with degree at most 1. It follows that $\det(JS'K)$ is a multivariate polynomial over $\mathbb{F}_{q^C}$ with degree at most $C' - \mu \le C'$. Note that, if $q^C \le C'$, the statement follows trivially, so assume $q^C > C'$. From [21, Lemma 4], we have that $P[\det(JS'K) = 0] \le C'/q^C$.
Thus, the probability of error of the scheme is upper bounded by $C'/q^C \le C/q^C$, which can be made arbitrarily small by choosing $q$ sufficiently large. This proves Theorem 1.

VII. ACHIEVABILITY FOR THEOREM 2

We now describe a coding scheme that achieves rate $R = C - Z_I - Z_O$ asymptotically in the packet length $n$. As before, assume that $n$ is divisible by $C$ and let $n' = n/C - (1 + kC')$, where $k = (bC + 1)(b + 1)\log_2 q$.

Let $H \in \mathbb{F}_{q^C}^{C' \times C}$ be the parity-check matrix of a $[C, Z_I]$ linear MRD code over $\mathbb{F}_{q^C}$. Let $T \in \mathbb{F}_{q^C}^{C \times C}$ be an invertible matrix such that the first $C - Z_I$ rows of $T^{-1}$ are equal to $H$. Similarly, let $H_0 \in \mathbb{F}_{q^C}^{R \times b}$ be the parity-check matrix of a $[b, Z_I]$ linear MRD code over $\mathbb{F}_{q^C}$, and let $T_0 \in \mathbb{F}_{q^C}^{b \times b}$ be an invertible matrix such that the first $R$ rows of $T_0^{-1}$ are equal to $H_0$.

A. Alice's encoder

First, given a message $S \in \mathbb{F}_{q^C}^{R \times n'}$, Alice computes $x = T_0 \begin{bmatrix} S \\ N \end{bmatrix}$, where $N \in \mathbb{F}_{q^C}^{Z_I \times n'}$ is chosen independently and uniformly at random. Then, she sets $M = \varphi(x)$ and generates a string $S \in \{0,1\}^k$ of $k$ bits according to the scheme described in Section V-B. Next, for each $i$th bit of $S$, Alice produces a matrix $S_i \in \mathbb{F}_{q^C}^{C' \times C'}$ according to the scheme described in Section VI. Then, for each $i = 1, \dots, k$, she computes $x_i = T \begin{bmatrix} S_i \\ N_i \end{bmatrix}$, where each $N_i \in \mathbb{F}_{q^C}^{Z_I \times C'}$ is chosen uniformly at random and independently from any other variables. Finally, she produces a transmission matrix

$$X = \begin{bmatrix} I_C & \varphi(x_1) & \varphi(x_2) & \cdots & \varphi(x_k) & \begin{bmatrix} M \\ 0 \end{bmatrix} \end{bmatrix}.$$

B. Bob's decoder

For each $i = 1, \dots, k$, Bob extracts a submatrix $Y_i$ from $Y$ corresponding to the submatrix $[\, I_C \;\; \varphi(x_i) \,]$ from $X$ (i.e., columns $1, \dots, C,\; C + (i-1)C' + 1, \dots, C + iC'$). He then applies on $Y_i$ the decoder described in Section VI to obtain each $i$th bit of $S$.

Similarly, Bob extracts a submatrix $Y_0$ consisting of the first $b$ and the last $n'C$ rows of $Y$. Note that $Y_0 = AX_0 + Z_0$, where $X_0 = \begin{bmatrix} I_b & M \\ 0 & 0 \end{bmatrix} \in \mathbb{F}_q^{C \times (b + n'C)}$ and $Z_0$ has rank at most $Z_O$. Then, Bob applies the decoder described in Section V-B to obtain $M$. Finally, Bob computes $x = \varphi^{-1}(M)$ and $S = H_0x$.

C. Overall Analysis

1) Secrecy analysis: The secrecy of the message is guaranteed by the scheme of Section V-A.

2) Error probability analysis: By the union bound, the probability that Bob makes an error when decoding the $k$-bit secret $S$ is at most $kC/q^C \le C^4(\log_2 q)/q^C = O\!\left(\frac{\log_2 q}{q^C}\right)$. Given that the secret is decoded correctly, the probability that Bob makes an error when decoding the message is at most $O(n^{C^2}/q)$. Thus, the overall probability of error is at most $O(n^{C^2}/q)$.

3) Rate analysis: The rate of the scheme is given by $Rn'C/n = R(1 - (1 + kC')C/n) \ge R - RC^5(\log_2 q)/n$. Thus, the rate loss is $O\!\left(\frac{\log_2 q}{n}\right)$.

4) Complexity analysis: Decoding all the secret bits takes $O(kC^5) = O(C^8 \log_2 q)$ operations in $\mathbb{F}_q$, while decoding the message is dominated by the secrecy decoding step with $O(C^4 n)$ operations in $\mathbb{F}_q$.

Note: Both the rate loss and the error probability can be made asymptotically small by choosing $q$ to grow faster than polynomially but slower than exponentially in $n$. For instance, we may choose q = 2 n.
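The rank test of Section VI ($Hr = S + E$ with $\mathrm{rank}(E) \le Z_O$) can be exercised numerically. The following Python code is an added example, not code from the paper; it assumes a prime field GF($2^{31}-1$) in place of the extension field, omits the MRD secrecy layer and the network transform so that Bob is handed $S + E$ directly, and all function names are hypothetical.

```python
"""Toy simulation of the rank test behind the single-bit scheme (Section VI).

Assumptions of this added example (not the paper's construction):
  * arithmetic is over the prime field GF(P) instead of the extension field;
  * the MRD secrecy layer and the network transform A are omitted, so Bob is
    given S + E directly (the first case of Bob's decoder);
  * Calvin's error E has rank at most Z_O and is drawn without knowledge of S,
    which is the independence the secrecy layer provides in the real scheme.
"""
import random

P = 2_147_483_647  # the prime 2^31 - 1, a stand-in field size


def rank_mod_p(matrix, p=P):
    """Rank of a matrix over GF(p), by Gauss-Jordan elimination."""
    m = [row[:] for row in matrix]
    rank = 0
    cols = len(m[0]) if m else 0
    for col in range(cols):
        pivot = next((r for r in range(rank, len(m)) if m[r][col] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col] % p:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def random_matrix(rows, cols, rng, p=P):
    return [[rng.randrange(p) for _ in range(cols)] for _ in range(rows)]


def matmul(a, b, p=P):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*b)]
            for row in a]


def bit_matrix(bit, size, rng):
    """Alice: zero matrix for bit 0, uniformly random matrix for bit 1."""
    if bit == 0:
        return [[0] * size for _ in range(size)]
    return random_matrix(size, size, rng)


def jamming_error(size, max_rank, rng):
    """Calvin: a random error of rank <= max_rank (product of thin factors)."""
    if max_rank == 0:
        return [[0] * size for _ in range(size)]
    return matmul(random_matrix(size, max_rank, rng),
                  random_matrix(max_rank, size, rng))


def bob_decode(received):
    """Bob: declare bit 1 if and only if the received matrix is full-rank."""
    return 1 if rank_mod_p(received) == len(received) else 0


def simulate(C, Z_I, Z_O, bit, trials=50, seed=1):
    """Fraction of trials in which Bob recovers `bit` under rank-limited jamming."""
    rng = random.Random(seed)
    size = C - Z_I                 # side of the bit matrix, i.e. the rank gap
    err_rank = min(Z_O, size)      # rank(E) cannot exceed the matrix size
    correct = 0
    for _ in range(trials):
        s = bit_matrix(bit, size, rng)
        e = jamming_error(size, err_rank, rng)
        received = [[(x + y) % P for x, y in zip(rs, re)]
                    for rs, re in zip(s, e)]
        correct += bob_decode(received) == bit
    return correct / trials


if __name__ == "__main__":
    # Condition of Theorem 1 holds: C = 6 > Z_I + Z_O = 2 + 3.
    print("C=6 Z_I=2 Z_O=3, bit 0:", simulate(6, 2, 3, 0))
    print("C=6 Z_I=2 Z_O=3, bit 1:", simulate(6, 2, 3, 1))
    # Condition violated: Z_O = 4 = C - Z_I, so E alone can be full-rank
    # and a transmitted 0 is read as 1.
    print("C=6 Z_I=2 Z_O=4, bit 0:", simulate(6, 2, 4, 0))
```

With $C - Z_I > Z_O$ the bit-0 case is decoded correctly in every trial because the received rank is at most $Z_O$; once $Z_O$ reaches $C - Z_I$ the same test fails for bit 0.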

VIII. ERRATA FOR [2]

We briefly reprise the scheme of [2] before demonstrating the flaw in the proof. In what follows, all operations are over $\mathbb{F}_q$.

In the scheme of [2] there exist two hash matrices $D_0$ and $D_1$, which are chosen independently and uniformly at random as $C^2(C - Z_O) \times C^2$ Vandermonde matrices, i.e., each column of $D_0$ and $D_1$ is of the form $h(u) = [u, u^2, \dots, u^{C^2(C - Z_O)}]^T$, where the generator $u$ is chosen independently and uniformly at random from $\mathbb{F}_q$. Both $D_0$ and $D_1$ are publicly known to all parties, including Bob and Calvin.

Alice's Encoder: Alice first chooses a random length-$(C^2(C - Z_O) - C^2)$ row vector $u$. Let $I \in \{0,1\}$ be the secret bit that Alice wishes to send to Bob. Alice then constructs the $1 \times C^2$ row vector $r$ such that $[u, r]D_I = 0$. Note that such $r$ exists since the last $C^2$ rows of $D_I$ form an invertible matrix. Finally the vector $[u, r]$ is rearranged into a $(C - Z_O) \times C^2$ matrix which is sent through the network via random linear network coding.

Bob's Decoder: After receiving the $C \times C^2$ matrix $Y$, for each $I \in \{0,1\}$ Bob checks whether there exist $C - Z_O$ length-$C$ vectors $\{x_i, i \in [1, C - Z_O]\}$ such that $[x_1Y, x_2Y, \dots, x_{C - Z_O}Y]D_I = 0$. If so, Bob decodes the secret bit as $I$. The idea is that if $I$ is Alice's bit, such $\{x_i, i \in [1, C - Z_O]\}$ exists for $D_I$ with high probability [3].

Calvin's successful attack: When Calvin corrupts $Z_O \ge C - Z_O$ edges, Calvin could mimic Alice's behaviour when she wishes to transmit a particular bit, say 1. As a result Bob would always find length-$C$ row vectors $\{x_i, i \in [1, C - Z_O]\}$ such that $[x_1Y, x_2Y, \dots, x_{C - Z_O}Y]D_1 = 0$. In this case Bob cannot determine whether the bit 1 is from Alice or from Calvin.

Even if Calvin can only inject $Z_O < C - Z_O$ errors, if $Z_O + Z_I \ge C - Z_O$, there is another successful attack for Calvin. To see that, without loss of generality let $Z_O + Z_I = C - Z_O$.
Since Calvin can eavesdrop on $Z_I$ packets $\{y_i, i \in [1, Z_I]\}$, he can carefully choose his $Z_O$ injected error packets $\{z_i, i \in [1, Z_O]\}$ so that $[y_1, \ldots, y_{Z_I}, z_1, \ldots, z_{Z_O}] D_1 = 0$. In this case, Bob also always decodes its bit as 1. Thus the scheme in [2] only works for the case where $C > 2Z_O + Z_I$, which does not improve the result in [3].

Why our scheme works: In our scheme (Section VI), instead of distinguishing the bit by the hash matrices, Alice hides her secret in the rank of the bit matrix she transmits. In particular, there is a rank gap $C - Z_I$ between the bit matrix for bit 0 and the one for bit 1. Thus as long as $C - Z_I > Z_O$, Calvin cannot mimic Alice any more, since he can only inject $Z_O$ errors. As a result Bob can determine Alice's bit by examining the rank of the matrix he decodes.

IX. CONCLUSION

In this work we considered the problem of communicating information secretly and reliably over a network containing a malicious eavesdropping and jamming adversary. Under the assumptions that vanishingly small probabilities of error and block coding are allowed, we substantially improve on the best achievable rates in prior work [1], and also prove the optimality of our achievable rates. A key component of our code design is a scheme that allows a small amount of information to be transmitted secretly and reliably over the network, as long as the total number of packets that the adversary can either eavesdrop on or jam is less than the communication capacity of the network. In proving this scheme we correct an error in the proof of prior work [2] by a subset of the authors of this work.

REFERENCES

[1] C.-K. Ngai and R. W. Yeung, Secure error-correcting (sec) network codes, in Proc. Workshop on Network Coding Theory and Applications, Lausanne, Switzerland, Jun , 2009, pp
[2] S. Jaggi and M. Langberg, Resilient network codes in the presence of eavesdropping Byzantine adversaries, in Proc. IEEE Int. Symp. Information Theory, June 2007, pp
[3] S. Jaggi, M. Langberg, S. Katti, T. Ho, D. Katabi, M. Médard, and M. Effros, Resilient network coding in the presence of Byzantine adversaries, IEEE Trans. Inf. Theory, vol. 54, no. 6, pp , Jun
[4] N. Cai and R. W. Yeung, Secure network coding, in Proc. IEEE Int. Symp. Information Theory, Lausanne, Switzerland, Jun. 30 Jul. 5, 2002, p
[5] J. Feldman, T. Malkin, C. Stein, and R. A. Servedio, On the capacity of secure network coding, in Proc. 42nd Annual Allerton Conf. on Commun., Control, and Computing, Sep
[6] S. Y. E. Rouayheb and E. Soljanin, On wiretap networks II, in Proc. IEEE Int. Symp. Information Theory, Nice, France, Jun , 2007, pp
[7] D. Silva and F. R. Kschischang, Security for wiretap networks via rank-metric codes, in Proc. IEEE Int. Symp. Information Theory, Toronto, Canada, Jul. 6 11, 2008, pp
[8] P. F. Oliveira and J. Barros, A network coding approach to secret key distribution, IEEE Transactions on Information Forensics and Security, vol. 3, no. 3, pp ,
[9] T. Ho, B. Leong, R. Koetter, M. Medard, M. Effros, and D. R. Karger, Byzantine modification detection in multicast networks using randomized network coding, IEEE Transactions on Information Theory, vol. 54, no. 6, pp ,
[10] R. W. Yeung and N. Cai, Network error correction, part i: Basic concepts and upper bounds, Commun. Inf. Syst, vol. 6, no. 1, pp ,
[11] N. Cai and R. W. Yeung, Network error correction, part ii: Lower bounds, Commun. Inf. Syst, vol. 6, no. 1, pp ,
[12] R. Matsumoto, Construction algorithm for network error-correcting codes attaining the singleton bound, Oct
[13] D. Silva, F. R. Kschischang, and R. Kötter, A rank-metric approach to error control in random network coding, IEEE Trans. Inf. Theory, vol. 54, no. 9, pp ,
[14] R. Kötter and F. R. Kschischang, Coding for errors and erasures in random network coding, IEEE Trans. Inf. Theory, vol. 54, no. 8, pp , Aug
[15] D. Charles, K. Jain, and K. Lauter, Signatures for network coding, in Proc. of The 27th Conference on Computer Communications,
[16] F. Zhao, T. Kalker, M. Medard, and J. K. Han, Signatures for content distribution with network coding, in Proc. of ISIT,
[17] D. Silva, Error control for network coding, Ph.D. dissertation, University of Toronto, Toronto, Canada,
[18] C.-K. Ngai and S. Yang, Deterministic secure error-correcting (sec) network codes, in Proc. IEEE Information Theory Workshop, Tahoe City, CA, Sep. 2 6, 2007, pp
[19] D. Silva and F. R. Kschischang, Universal secure network coding via rank-metric codes, IEEE Trans. Inf. Theory, 2008, submitted for publication. [Online]. Available:
[20], Universal secure error control schemes for network coding, in Proc. IEEE Int. Symp. Information Theory,
[21] T. Ho, M. Médard, R. Koetter, D. R. Karger, M. Effros, J. Shi, and B. Leong, A random linear network coding approach to multicast, IEEE Trans. Inf. Theory, vol. 52, no. 10, pp , Oct
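The rank bound behind the "Why our scheme works" paragraph above, as an added example that is not code from the paper. It assumes a prime field GF(257), bit matrices of rank Z_I and C (chosen only so that their gap is C - Z_I, with Z_I >= 1), and a jammer whose injected packets reach Bob as an additive error of rank at most Z_O; all function names are hypothetical. It checks only that such an error cannot lift the low-rank matrix across the gap, not the full Section VI scheme.

```python
import random

P = 257  # prime field size; an assumption, the page does not fix the field


def rank_mod_p(rows, p=P):
    """Rank of a matrix over GF(p) by Gauss-Jordan elimination."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)          # modular inverse (Python 3.8+)
        m[rank] = [v * inv % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
        if rank == len(m):
            break
    return rank


def matmul(a, b, p=P):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*b)]
            for row in a]


def matadd(a, b, p=P):
    return [[(x + y) % p for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def invertible_transfer(c, rng, p=P):
    """Stand-in for the random linear network code: T = L*U with unit
    diagonals, so T is always invertible and preserves rank."""
    lower = [[1 if i == j else (rng.randrange(p) if j < i else 0)
              for j in range(c)] for i in range(c)]
    upper = [[1 if i == j else (rng.randrange(p) if j > i else 0)
              for j in range(c)] for i in range(c)]
    return matmul(lower, upper, p)


def bit_matrices(c, z_i, n, rng, p=P):
    """Return (low, high): C x n matrices of rank exactly Z_I and exactly C."""
    high = [[1 if i == j else 0 for j in range(c)]
            + [rng.randrange(p) for _ in range(n - c)] for i in range(c)]
    top = high[:z_i]                             # Z_I independent rows
    mix = [[rng.randrange(p) for _ in range(z_i)] for _ in range(c - z_i)]
    low = top + matmul(mix, top, p)              # remaining rows depend on top
    return low, high


def strongest_lift(low, high, z_i, z_o, p=P):
    """Worst-case error of rank <= Z_O: moves `low` as far toward `high`
    as the jamming budget allows (expressed before the network mixes it)."""
    c = len(low)
    k = min(z_o, c - z_i)
    zero = [0] * len(low[0])
    diff = [[(h - l) % p for h, l in zip(hr, lr)] for hr, lr in zip(high, low)]
    return [diff[i] if z_i <= i < z_i + k else zero for i in range(c)]


def received_rank(c, z_i, z_o, n=12, seed=1):
    """Return (rank Bob sees for the jammed low matrix, rank of the
    unjammed high matrix)."""
    rng = random.Random(seed)
    t = invertible_transfer(c, rng)
    low, high = bit_matrices(c, z_i, n, rng)
    error = matmul(t, strongest_lift(low, high, z_i, z_o))
    assert rank_mod_p(error) <= z_o              # stays within Calvin's budget
    jammed = matadd(matmul(t, low), error)
    return rank_mod_p(jammed), rank_mod_p(matmul(t, high))


if __name__ == "__main__":
    C, Z_I = 6, 2                                # constructed parameters
    for z_o in (0, 3, 4):
        seen, target = received_rank(C, Z_I, z_o)
        print(f"Z_O={z_o}: jammed low rank={seen}, high rank={target}, "
              f"gap condition C-Z_I>Z_O is {C - Z_I > z_o}")
```

With C = 6 and Z_I = 2 the jammed low-rank matrix reaches rank 5 when Z_O = 3 and only matches the high rank once Z_O reaches the gap of 4.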


More information

On the Equivalency of Reliability and Security Metrics for Wireline Networks

On the Equivalency of Reliability and Security Metrics for Wireline Networks On the Equivalency of Reliability and Security Metrics for Wireline Networks Mohammad Mahdi Mojahedian, Amin Gohari and Mohammad Reza Aref arxiv:1609.04586v1 [cs.it] 15 Sep 2016 Information Systems and

More information

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices

Network Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices Global Journal of Computer Science and Technology Volume 11 Issue 12 Version 1.0 July Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN:

More information

Capacity Region of Reversely Degraded Gaussian MIMO Broadcast Channel

Capacity Region of Reversely Degraded Gaussian MIMO Broadcast Channel Capacity Region of Reversely Degraded Gaussian MIMO Broadcast Channel Jun Chen Dept. of Electrical and Computer Engr. McMaster University Hamilton, Ontario, Canada Chao Tian AT&T Labs-Research 80 Park

More information

EE229B - Final Project. Capacity-Approaching Low-Density Parity-Check Codes

EE229B - Final Project. Capacity-Approaching Low-Density Parity-Check Codes EE229B - Final Project Capacity-Approaching Low-Density Parity-Check Codes Pierre Garrigues EECS department, UC Berkeley garrigue@eecs.berkeley.edu May 13, 2005 Abstract The class of low-density parity-check

More information

Privacy Amplification Theorem for Noisy Main Channel

Privacy Amplification Theorem for Noisy Main Channel Privacy Amplification Theorem for Noisy Main Channel Valeri Korjik 1, Guillermo Morales-Luna 2, and Vladimir B. Balakirsky 3 1 Telecommunications, CINVESTAV-IPN, Guadalajara Campus Prol. López Mateos Sur

More information